Unquestioned Trust: How the Financial Industry Can Create Secure (and Seamless) Online Banking Experiences

As their investment in digital transformation increases, banking organizations are learning a valuable lesson that all comes down to trust.

In our current pandemic era, customers are dramatically accelerating the demand for this transition. According to the World Retail Banking Report 2020 from Capgemini and Efma, 57 percent of clients surveyed now prefer (and implicitly trust) online to in-person banking (up from 49 percent pre-COVID-19) and as much as 55 percent favor using mobile banking apps (up from 47 percent). As a result of these increases, the global online banking market is expected to reach $20.5 billion by 2026, up from $9.1 billion in 2019, according to a forecast from Valuates.

At the same time, industry executives fully know and trust that hackers are increasing their interest in online banking, too, hoping to cash in on easy-money growth. Four out of five executives cite security/privacy concerns as the primary adoption obstacles to implementing a digital platform model, according to the Capgemini/Efma report. And their reservations are well-founded. Banking trojans such as Dridex, Trickbot and Ramnit are stealing account credentials, gaining remote control of infected systems, intercepting and redirecting users to hacker-controlled servers, and launching spam and malware campaigns.

In June, the FBI issued a warning about the likelihood of cyber criminals targeting mobile banking customers through malicious programs disguised as banking apps. Overall, cyber attacks against the financial sector have grown by 238 percent and ransomware incidents have spiked nine-fold since the outbreak began, according to the VMware Carbon Black, “Modern Bank Heists 3.0” research report.

To counter the onslaught, banks are going beyond phishing and social-engineering-vulnerable passwords and are increasing their authentication requirements with device-level authentication. For example, if an account holder types in the right password from an IP address that also matches what’s “in the file,” then the log-in is approved. But this isn’t enough in our global, mobile, “digital transformation” age. Users now connect ubiquitously from multiple devices, making this device-fingerprinting and its continual ‘verifications’ more cumbersome to users and less reliable for security.

Unfortunately, financial institution leaders often believe that implementing two-factor authentication with challenge questions like, ‘What’s your favorite meal?’ and ‘What city were you born in?’ will close the gap. But cyber criminals easily circumvent these controls. Via SIM swapping, for instance, they take control over a victim’s phone number by convincing the victim’s mobile carrier to switch their subscriber identity module (SIM) to a new SIM card located in a device under attacker control. With this, the attacker can then hijack the one-time codes sent via SMS, thus exploiting the two-factor authentication. And as for answers to personal security questions that “only” the legitimate user should know? The same user is literally giving these personally identifiable answers away in their daily social media posts and often within their stolen, personal emails.

What’s worse is that increasing friction into the consumer experience runs counter to the purpose of digital transformation and the goal of both secure and seamless, online banking experiences. These ‘enhanced’ security measures force users to take multiple, burdensome steps to conduct their business. And when pushed too far, financial institutions start finding their services are more secure as a result of having fewer customers.

Fortunately, there is a better way. Breakthroughs in software and mobile technology are proving the reliability of using behavioral biometrics to deliver stronger, yet more user-friendly, authentication. Behavioral biometrics validates users by tracking how they physically interact with sites, apps and device interfaces – whichever device the customer chooses to engage from.

Unique attributes like how an individual presses on touchscreens, moves a mouse, types on a keyboard and holds a smart phone are automatically analyzed to identify suspicious logins and nefarious activities without impacting the authentic customer experience. And because malware and bots are unable to replicate and impersonate both unique and innate human behavior, the technology can rapidly detect and alert on anomalies offering the time to quickly intervene or dramatically reduced effort to resolve fraud investigations. As a result, the interaction is more secure with the process invisible to the banking customer.

There is no turning back in the digital transformation journey. You commit. You invest. You innovate. And then you keep at it, with continuous improvement as a constant driver. And remarkably, it requires a zero-trust approach so that trust, as in human-human interactions, is continuously assessed, built, and evolved with every engagement.

Jordan Blake, BehavioSec